weblogic.servlet.security
Class ServletAuthentication

ServletAuthentication allows both form-based authentication and
programmatic authentication in servlets. It performs the
authentication call through the Realm and sets the user information
into the session. The weak() methods are for password authentication
and the strong() methods are for certificate-based authentication.
The latter is available only via two-way SSL connections, based
on the client certificate chain.

Method Summary

static void done(HttpServletRequest request)
"Logs out" the user in the session by removing the pertinent
data from the sessions the user has logged into and also from the
webserver, without losing other session data.

static void generateNewSessionID(HttpServletRequest request)
Moves all current session information into a completely different
session ID and re-associates this session with this new ID.

static Cookie getSessionCookie(HttpServletRequest request, HttpServletResponse response)
Allows you to get a handle on the session cookie itself.

static int login(String username, String password, HttpServletRequest request, HttpServletResponse response)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and password to authenticate the user and setting
that user information into the session.

static boolean logout(HttpServletRequest req)
"Logs out" the user in the session by removing the pertinent
data from the sessions the user has logged into and also from the
webserver, without losing other session data.

static void runAs(Subject subject, HttpServletRequest request)
With a given subject, this method sets the current thread identity and
current session identity.

static int strong(HttpServletRequest request, HttpServletResponse response)
Strong authentication using the client-side certificate chain as the
credential for authentication against the "weblogic" (default) realm.

static int weak(HttpServletRequest request, HttpServletResponse response)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
pulling the username and password from the request, authenticating
the user and setting it into the session.

static int weak(String username, String password, HttpServletRequest request, HttpServletResponse response)
Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and password to authenticate the user and setting
that user information into the session.

ServletAuthentication

Constructs a ServletAuthentication object that looks for specific
form fields inside the HttpRequest for the username and password.

Method Detail

done

public static void done(HttpServletRequest request)

"Logs out" the user in the session by removing the pertinent
data from the sessions the user has logged into and also from the
webserver, without losing other session data. (This method is functionally
equivalent to logout().)

Parameters:

request - HttpServletRequest which contains the session

logout

public static boolean logout(HttpServletRequest req)

"Logs out" the user in the session by removing the pertinent
data from the sessions the user has logged into and also from the
webserver, without losing other session data.

Parameters:

req - HttpServletRequest

invalidateAll

public static boolean invalidateAll(HttpServletRequest req)

Invalidates all the sessions for the current user only (that is, the current cookie),
and since the cookie is no longer required, kills the cookie too.

assertIdentity

Strong authentication using the client-side certificate chain as the
credential for authentication. This method is similar to "strong" except that
it propagates the LoginException back to the caller. This method also takes
an AppContext so that callers can pass in additional context information
that can be used by the security providers. The AppContext is passed
on to the security providers as is. It is the responsibility of the caller to
add the request and response objects to the AppContext if required.

login

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and password to authenticate the user and setting
that user information into the session. This method is similar to "weak",
except that the LoginException is propagated to the caller.
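The programmatic login flow the class description outlines, as an added example (not code from the WebLogic documentation): login() is used so that a LoginException reaches the caller, the session ID is rotated with generateNewSessionID() once the session holds an authenticated identity, and logout() clears the user's authentication data. The form field names, redirect paths and the servlet class name are assumptions of the example.

```java
import java.io.IOException;
import javax.security.auth.login.LoginException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import weblogic.servlet.security.ServletAuthentication;

// Programmatic login endpoint. Form field names "username" and "password" and the
// redirect targets are assumed for this example.
public class LoginServlet extends HttpServlet {
    @Override
    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        String username = request.getParameter("username");
        String password = request.getParameter("password");
        int result;
        try {
            // login() does what weak() does but propagates the LoginException to the caller
            result = ServletAuthentication.login(username, password, request, response);
        } catch (LoginException e) {
            // Keep the detail server-side for the audit trail; the client sees the same
            // generic answer as for FAILED_AUTHENTICATION, so the reason is not disclosed.
            log("authentication failed for user=" + username + " from " + request.getRemoteAddr(), e);
            result = ServletAuthentication.FAILED_AUTHENTICATION;
        }

        if (result != ServletAuthentication.AUTHENTICATED) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid credentials");
            return;
        }

        // The session now carries an authenticated identity: move it to a fresh session ID so
        // that an ID issued (or handed to the browser) before login no longer refers to it.
        ServletAuthentication.generateNewSessionID(request);
        response.sendRedirect(request.getContextPath() + "/home");
    }

    // Logout: remove the user's authentication data from every session they logged into while
    // keeping other session data; invalidateAll(request) would drop the sessions and cookie too.
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        if ("logout".equals(request.getParameter("action"))) {
            ServletAuthentication.logout(request);
        }
        response.sendRedirect(request.getContextPath() + "/login");
    }
}
```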

weak

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and password to authenticate the user and setting
that user information into the session.
Note: This method has been deprecated. Use weak(username, password, request)
instead.

Parameters:

username - String

password - String

session - HttpSession

Returns:

int authentication value

authObject

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and credential object to authenticate the user and
setting that user information into the session. This method has been
deprecated. Use authenticate(CallbackHandler, HttpServletRequest) instead.

Parameters:

username - String

credential - String

request - HttpServletRequest

Returns:

int authentication value

authObject

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION after
using the username and credential object to authenticate the user and
setting that user information into the session. This method has been
deprecated. Use authenticate(CallbackHandler, HttpServletRequest)
instead.

Parameters:

username - String

credential - String

session - HttpSession

Returns:

int authentication value

authenticate

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION. This method
is expected to be used when you have plugged in custom LoginModules. If the
custom LoginModule is expecting the LoginException to be propagated back, then
use the "login" method instead of "authenticate".
The callback handler that you supply here should be able to handle the
callbacks generated by your LoginModule. This method creates a session
if a session doesn't exist already.

Parameters:

handler - javax.security.auth.callback.CallbackHandler

request - HttpServletRequest

Returns:

int authentication value

login

Returns an int value for AUTHENTICATED or FAILED_AUTHENTICATION. This method
is expected to be used when you have plugged in custom LoginModules. This is
similar to the "authenticate" method, except that this throws a LoginException
back to the caller when authentication fails.
The callback handler that you supply here should be able to handle the
callbacks generated by your LoginModule. This method creates a session
if a session doesn't exist already.
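The callback-driven variant described for authenticate() and login(), as an added example that is not part of the WebLogic documentation: a CallbackHandler for a username/password LoginModule, driven through login(handler, request) so that the module's LoginException reaches the caller. The login(CallbackHandler, HttpServletRequest) parameter list is assumed to mirror authenticate's, as the text describes; the class and method names are the example's own.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import weblogic.servlet.security.ServletAuthentication;

// Answers the callbacks a username/password LoginModule issues. Any other callback
// type is refused with UnsupportedCallbackException rather than answered with a blank.
public final class FormCallbackHandler implements CallbackHandler {
    private final String username;
    private final char[] password;

    public FormCallbackHandler(String username, char[] password) {
        this.username = username;
        this.password = password;
    }

    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof NameCallback) {
                ((NameCallback) cb).setName(username);
            } else if (cb instanceof PasswordCallback) {
                ((PasswordCallback) cb).setPassword(password); // PasswordCallback keeps its own clone
            } else {
                throw new UnsupportedCallbackException(cb, "callback type not supported");
            }
        }
    }

    // Drives login(handler, request). Returns true only for AUTHENTICATED; a LoginException
    // raised by the custom LoginModule reaches the caller instead of being swallowed, which
    // is the difference from authenticate(handler, request) described above.
    public static boolean loginWithCustomModule(HttpServletRequest request, String user,
                                                char[] pwd) throws LoginException {
        FormCallbackHandler handler = new FormCallbackHandler(user, pwd);
        try {
            return ServletAuthentication.login(handler, request)
                    == ServletAuthentication.AUTHENTICATED;
        } finally {
            Arrays.fill(pwd, '\0'); // scrub our copy of the password; the LoginModule clears its own
        }
    }
}
```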

Copyright 1996, 2010, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.